Uploaded files not checked for filetype
Basically, a malicious user could write a testimonial, upload a virus, and use the URL to spread the virus elsewhere. Effectively, the site would be hosting malware.
On a site where I have used this, I have added a couple of lines of code testing whether the file really is a JPEG:
```php
// Read the file's signature (magic bytes) rather than trusting its name;
// exif_imagetype() returns IMAGETYPE_JPEG (the integer 2) for a real JPEG.
$image_mime_type = exif_imagetype($_FILES['pts_photo']['tmp_name']);
```
I added that to pts_front_add_testimonial() and updated this line:
```php
// Both the extension and the detected image type must match before the file is accepted.
if ( (strtolower($_ext) == 'jpg' || strtolower($_ext) == 'jpeg')
     && ( $image_mime_type == 2) )   // 2 == IMAGETYPE_JPEG
...
```
But I wonder if the plugin author shouldn’t update the code to make this more secure.
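A stricter version of that check, as an added example that is not the plugin's own code: it verifies the upload status, size, extension whitelist and file signature, cross-checks with WordPress's wp_check_filetype_and_ext(), and then re-encodes the image with GD so only pixel data is stored. The function names and the 2 MB limit are assumptions; the 'pts_photo' field name comes from the post, and exif_imagetype() needs the PHP exif extension.

```php
<?php
// Added example, not the plugin's code. $file is one entry of $_FILES, e.g. $_FILES['pts_photo'].
// Returns true only if every check passes; the caller should reject the upload otherwise.
function pts_photo_upload_is_valid(array $file, int $max_bytes = 2097152): bool {
    // 1. PHP must report a successful upload, and the path must come from the upload mechanism.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return false;
    }
    // 2. Size limit (2 MB here is an assumed value).
    if (filesize($file['tmp_name']) > $max_bytes) {
        return false;
    }
    // 3. The extension comes from the client-supplied name, so it is only a hint.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg'], true)) {
        return false;
    }
    // 4. Content check: exif_imagetype() reads the signature bytes, not the name.
    //    Use the named constant instead of the bare number 2 and compare strictly.
    if (exif_imagetype($file['tmp_name']) !== IMAGETYPE_JPEG) {
        return false;
    }
    // 5. WordPress's own validation also rejects files whose declared type
    //    disagrees with their content; restrict the allowed MIME map to JPEG.
    $check = wp_check_filetype_and_ext($file['tmp_name'], $file['name'], ['jpg|jpeg' => 'image/jpeg']);
    return $check['ext'] !== false && $check['type'] === 'image/jpeg';
}

// Re-encode with GD so that anything appended to or embedded in the original
// file is discarded; only the decoded pixels are written to $dst.
// Returns the destination path on success, null on failure.
function pts_photo_reencode(string $src, string $dst): ?string {
    $img = @imagecreatefromjpeg($src);
    if ($img === false) {
        return null;
    }
    $ok = imagejpeg($img, $dst, 85);
    imagedestroy($img);
    return $ok ? $dst : null;
}

// Typical use inside the form handler (the destination name is server-generated,
// never the client's filename, so the stored path carries no user-controlled extension).
if (pts_photo_upload_is_valid($_FILES['pts_photo'])) {
    $dest = wp_upload_dir()['path'] . '/' . wp_generate_password(16, false) . '.jpg';
    $stored = pts_photo_reencode($_FILES['pts_photo']['tmp_name'], $dest);
}
```

Even with the content check in place, storing the re-encoded copy under a server-chosen name is what keeps a renamed script from ever being served with a user-chosen extension.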